diff options
| author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2024-07-20 16:35:48 -0700 |
|---|---|---|
| committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2024-07-20 16:44:05 -0700 |
| commit | eb8370d5e4cf3d68f05b679d3679f695542eddb1 (patch) | |
| tree | e7e6410b469b3b857f5e7e5fa8aae430024a7b8a /src/XRecord.c | |
| parent | c542acce77be47156e53b74f5f9ca7156b3de7f5 (diff) | |
XRecordGetContext: Avoid double free in error path
XRecordFreeState() will handle the free for us, so let it.
Found by gcc 14.1:
XRecord.c:514:31: warning: use after ‘free’ of ‘*state.client_info + i * 8’
[CWE-416] [-Wanalyzer-use-after-free]
514 | if (state->client_info[i]->ranges) {
| ~~~~~~~~~~~~~~~~~~^~~
[...]
| 455 | free(client_inf);
| | ~~~~~~~~~~~~~~~~
| | |
| | (18) freed here
Fixes: e7e04b7 ("integer overflow in XRecordGetContext() [CVE-2013-2063]")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxtst/-/merge_requests/7>
Diffstat (limited to 'src/XRecord.c')
| -rw-r--r-- | src/XRecord.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/src/XRecord.c b/src/XRecord.c index e5357b9..efa47bd 100644 --- a/src/XRecord.c +++ b/src/XRecord.c @@ -452,10 +452,9 @@ XRecordGetContext(Display *dpy, XRecordContext context, ret->client_info = client_inf; if (!client_inf || !client_inf_str) { - free(client_inf); _XEatDataWords (dpy, rep.length); UnlockDisplay(dpy); - XRecordFreeState(ret); + XRecordFreeState(ret); /* frees ret->client_info, aka client_inf */ SyncHandle(); return 0; } |